Agent-safe signing: keys for autonomous AI agents

AI agents are starting to move money on Solana — swapping, paying, rebalancing on their own. The unsolved problem is the key: an agent that can transact usually holds a raw private key, which means one prompt injection or leaked log can drain the wallet. Agent-safe signing fixes that by never giving the agent the key at all.

The danger with agents and keys

To send a Solana transaction, something has to sign it with a private key. The naive way to let an agent transact is to put a hot-wallet key in its environment. But an autonomous agent is exactly the wrong thing to trust with a raw key: it follows instructions it reads, and those instructions can be poisoned. A single prompt injection — a malicious string in a webpage, an email, a tool response — can convince the agent to send everything to an attacker. The key in memory is a single point of total failure.

The fix: separate the agent from the key

Agent-safe signing puts a policy-gated signer between the agent and the key. The agent can propose transactions; it can never sign them. The signer holds the key in an isolated environment, checks each proposed transaction against a policy, and signs only what passes.

AI agent ──build tx──▶ Coldstar signer + policy ──if allowed──▶ Solana

The agent never touches the private key; it lives behind the gate.

What a signing policy enforces

The policy is the whole point: it bounds the worst case no matter how the agent misbehaves. Typical rules: a maximum amount per transaction, an allowlist of programs or recipients, rate limits, and time windows.

A compromised, jailbroken, or simply hallucinating agent can still only do what the policy permits. The blast radius is capped by design, not by hoping the agent behaves.
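The gate described above, as an added example that is not Coldstar's code: a hypothetical policy-gated signer in Python. The agent only ever constructs a ProposedTx and calls sign(); the secret lives inside the signer object. Every rule from the policy list (per-tx cap, program and recipient allowlists, a sliding-window rate limit, a time window) is checked first, and the transaction is signed only when no rule is violated. The account labels, the secret, and the HMAC standing in for a real Ed25519 signature are all constructed for the demo.

```python
"""Hypothetical policy-gated signer: the agent proposes, the signer decides."""
from __future__ import annotations

import hashlib
import hmac
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LAMPORTS_PER_SOL = 1_000_000_000


@dataclass(frozen=True)
class ProposedTx:
    """All the agent may hand over: an unsigned transaction plus the fields the
    policy needs to judge it. No key material is involved at this layer."""
    program: str      # on-chain program the instruction targets
    recipient: str    # destination account
    lamports: int     # value moved by the transaction
    payload: bytes    # serialized message that would actually be signed


@dataclass(frozen=True)
class SigningPolicy:
    max_lamports_per_tx: int
    allowed_programs: frozenset[str]
    allowed_recipients: frozenset[str]
    max_tx_per_window: int
    window: timedelta
    allowed_hours_utc: range   # signing permitted only when now.hour is in this range


class PolicyGatedSigner:
    """Holds the secret and the policy; callers get signatures, never the secret."""

    def __init__(self, secret: bytes, policy: SigningPolicy):
        self._secret = secret
        self._policy = policy
        self._recent: deque[datetime] = deque()   # timestamps of successful signs

    def evaluate(self, tx: ProposedTx, now: datetime) -> list[str]:
        """Return every policy violation; an empty list means the tx is allowed."""
        p = self._policy
        reasons: list[str] = []
        if tx.lamports > p.max_lamports_per_tx:
            reasons.append(f"amount {tx.lamports} exceeds per-tx cap {p.max_lamports_per_tx}")
        if tx.program not in p.allowed_programs:
            reasons.append(f"program {tx.program!r} not on allowlist")
        if tx.recipient not in p.allowed_recipients:
            reasons.append(f"recipient {tx.recipient!r} not on allowlist")
        if now.hour not in p.allowed_hours_utc:
            reasons.append(f"hour {now.hour:02d} UTC outside signing window")
        # Sliding-window rate limit: forget signs older than the window, then count.
        cutoff = now - p.window
        while self._recent and self._recent[0] < cutoff:
            self._recent.popleft()
        if len(self._recent) >= p.max_tx_per_window:
            reasons.append(f"rate limit of {p.max_tx_per_window} tx per {p.window} reached")
        return reasons

    def sign(self, tx: ProposedTx, now: datetime) -> bytes:
        reasons = self.evaluate(tx, now)
        if reasons:
            raise PermissionError("; ".join(reasons))
        self._recent.append(now)
        # Stand-in for the real Ed25519 signature: an HMAC over the payload.
        return hmac.new(self._secret, tx.payload, hashlib.sha256).digest()


def run_demo() -> dict:
    """Constructed scenario: a benign transfer, then an injection-style drain attempt."""
    policy = SigningPolicy(
        max_lamports_per_tx=LAMPORTS_PER_SOL // 10,          # 0.1 SOL per tx
        allowed_programs=frozenset({"SystemProgram"}),
        allowed_recipients=frozenset({"TREASURY_ACCT"}),     # placeholder label
        max_tx_per_window=2,
        window=timedelta(minutes=1),
        allowed_hours_utc=range(9, 18),
    )
    signer = PolicyGatedSigner(b"constructed-secret-the-agent-never-sees", policy)
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    benign = ProposedTx("SystemProgram", "TREASURY_ACCT", LAMPORTS_PER_SOL // 20, b"tx-1")
    drain = ProposedTx("SystemProgram", "ATTACKER_ACCT", 50 * LAMPORTS_PER_SOL, b"tx-2")

    out: dict = {}
    out["benign_reasons"] = signer.evaluate(benign, now)
    out["drain_reasons"] = signer.evaluate(drain, now)
    sig = signer.sign(benign, now)
    signer.sign(benign, now + timedelta(seconds=10))
    out["sig_len"] = len(sig)
    try:                                   # third sign inside the window is refused
        signer.sign(benign, now + timedelta(seconds=20))
        out["third_blocked"] = False
    except PermissionError:
        out["third_blocked"] = True
    out["after_window_ok"] = signer.evaluate(benign, now + timedelta(seconds=61)) == []
    out["night_reasons"] = signer.evaluate(benign, now.replace(hour=3))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The drain attempt fails two rules at once (amount and recipient), and the signer reports all violations rather than stopping at the first, which is what you want in the audit log when reconstructing what an agent tried to do.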

Why Coldstar fits this natively

Coldstar was built as a CLI-first, scriptable signer — the same architecture that makes it air-gapped for humans makes it the right shape for agents. The key is decrypted only in isolated, memory-locked RAM at signing time; the signing step is a programmable boundary where policy lives. One consistent model runs across the whole spectrum:

A $10 personal wallet, a DAO or fund treasury with multisig, and an autonomous agent with a spending policy all use the same flash → sign → broadcast core. Coldstar is the open-source, keyless signing standard underneath all three.

That's the direction the ecosystem is moving: as frameworks like Solana Agent Kit let agents act on-chain, the missing primitive is a signer they can call but never own. Agent-safe signing is that primitive.

Frequently asked questions

How does an agent sign without holding the key?

The agent builds a transaction and submits it to a signer, not to the key. The signer holds the key in an isolated environment, checks the transaction against a policy, and only then signs. The agent never sees the private key.

What is a signing policy?

Rules the signer enforces before signing: max amount per transaction, allowed programs or recipients, rate limits, and time windows. Anything outside the policy is rejected, so a compromised agent cannot drain funds.

Why not just give the agent a hot-wallet key?

A raw key in an agent's environment is a single point of total failure — a prompt injection, a leaked log, or a bad dependency exposes everything. Policy-gated signing bounds the worst case to what the policy allows.

Is this available today?

Coldstar's signing core ships now (CLI and Seeker app). The agent-policy layer is part of the roadmap and the reason the architecture is CLI-first and scriptable; the policy-engine audit is part of the planned third-party review.

Build on the signer

Open source, CLI-first, scriptable — the signing core is on GitHub today.

pip install coldstar